We don’t enable backdoors in our crypto products, RSA tells customers

Statement comes after firm said its products used RNG reported to contain NSA backdoor.

RSA, the security firm that confirmed two of its products by default use a crucial cryptography component reportedly weakened by the National Security Agency, said such design choices are made independently.

"RSA always acts in the best interest of its customers and under no circumstances does RSA design or enable any backdoors in our products," the security division of EMC said in a brief statement published Friday. "Decisions about the features and functionality of RSA products are our own."

The post came a day after RSA advised customers of the BSAFE toolkit and the Data Protection Manager to stop using something called Dual_EC_DRBG, which is the default random number generator (RNG) for creating cryptographic keys for both applications. The New York Times recently reported that the technology contained backdoor weaknesses inserted by the NSA before the National Institute of Standards and Technology formally adopted it as a standard in 2006.

Also on Friday, a person familiar told Ars that the weak RNG "is contained nowhere in RSA SecurID or the RSA Authentication Manager software; it uses a different FiPS-compliant RNG." The clarification is important, since millions of people use the SecureID token to log into sensitive networks operated by the US government and US government contractors.

RNGs, more accurately known as pseudo RNGs, are one of the most crucial parts of an encryption system, because they spawn a random sequence of numbers that form the raw materials of cryptographic keys that secure e-mails, Web sessions, and other sensitive communications. If adversaries can predict the numbers produced by an RNG they can crack the keys in a tiny fraction of the time it would otherwise take.

RSA's confirmation that the Data Protection Manager and particularly BSAFE used Dual_EC_DRBG as the default RNG has angered some cryptographers, who said it never should have been chosen on its technical merits. These critics cited its speed—which is literally hundreds of times slower than typical RNGs—and the well-founded doubts voiced about its security as early as 2007.

In a statement issued to Ars on Thursday, RSA Chief Technology Sam Curry defended the decision-making process. He said:

Plenty of other crypto functions (PBKDF2, bcrypt, scrypt) will iterate a hash 1000 times specifically to make it slower. At the time, elliptic curves were in vogue and hash-based RNG was under scrutiny. The hope was that elliptic curve techniques—based as they are on number theory—would not suffer many of the same weaknesses as other techniques (like the FIPS 186 SHA-1 generator) that were seen as negative, and Dual_EC_DRBG was an accepted and publicly scrutinized standard. SP800-90 (which defines Dual EC DRBG) requires new features like continuous testing of the output, mandatory re-seeding, optional prediction resistance and the ability to configure for different strengths.

The technical accuracy of the statement has been widely criticized by some cryptographers, including Johns Hopkins University professor Matt Green and University of Pennsylvania professor Matt Blaze.

Curry later told Wired that RSA chose Dual_EC_DRBG in 2004, "when elliptic curve algorithms were becoming the rage and were considered to have advantages over other algorithms."

RSA's statement on Friday appears to be intended to respond to critics' speculation echoed on Twitter, in Ars comments, and elsewhere that the RNG was chosen for non-technical reasons.

"Following NIST’s decision to strongly recommend against the use of the community developed encryption algorithm standard (known as Dual EC DRBG), RSA determined it appropriate to issue an advisory to all our RSA BSAFE and RSA Data Protection Manager customers recommending they choose one of the different cryptographic Pseudo-Random Number Generators (PRNG) built into the RSA BSAFE toolkit," the statement said. "We are now working with customers to ensure they are using the strongest and safest cryptographic methods possible."

Promoted Comments

1. Put a backdoor in to a an encryption scheme.2. Push for it to become a NIST standard.3. Create FIPS guidelines recommending the use of this standard (http://csrc.nist.gov/groups/STM/cavp/do ... bgval.html).4. Wait for other countries to adopt our standards.5. Profit!!!

6. Forget that the US is also using those standards.7. Military wonders how China is stealing all of it's contractor's data.

While I generally greatly appreciate the article images Ars chooses, in this case given the way weakening an RNG used primarily by the US government contractor ecosystem has backfired on the NSA, I think this is actually the correct picture:

1. Put a backdoor in to a an encryption scheme.2. Push for it to become a NIST standard.3. Create FIPS guidelines recommending the use of this standard (http://csrc.nist.gov/groups/STM/cavp/do ... bgval.html).4. Wait for other countries to adopt our standards.5. Profit!!!

1. Put a backdoor in to a an encryption scheme.2. Push for it to become a NIST standard.3. Create FIPS guidelines recommending the use of this standard (http://csrc.nist.gov/groups/STM/cavp/do ... bgval.html).4. Wait for other countries to adopt our standards.5. Profit!!!

6. Forget that the US is also using those standards.7. Military wonders how China is stealing all of it's contractor's data.

1. Put a backdoor in to a an encryption scheme.2. Push for it to become a NIST standard.3. Create FIPS guidelines recommending the use of this standard (http://csrc.nist.gov/groups/STM/cavp/do ... bgval.html).4. Wait for other countries to adopt our standards.5. Profit!!!

6. Forget that the US is also using those standards.7. Military wonders how China is stealing all of it's contractor's data.

Maybe they should be left in. How else are whistle-blowers going to get their information?

Curious, so this Dual EC DRNG is the default for those programs? What about the actual encryption schemes that use the output of this PRNG? Would it affect the security of say, AES? Or does AES define its own PRNG as part of the FIPS?

I also wonder how easy it is (or not) to change from this PRNG to another, and how quickly that would propagate across whatever networks, devices, and software packages use the broken RNG.

National Security Agency (NSA) Suite A Cryptography is NSA cryptography which "contains classified algorithms that will not be released." "Suite A will be used for the protection of some categories of especially sensitive information (a small percentage of the overall national security-related information assurance market)."Incomplete list of Suite A algorithms: MEDLEY, SHILLELAGH, BATON, SAVILLE, WALBURN, JOSEKI-1.

1. Put a backdoor in to a an encryption scheme.2. Push for it to become a NIST standard.3. Create FIPS guidelines recommending the use of this standard (http://csrc.nist.gov/groups/STM/cavp/do ... bgval.html).4. Wait for other countries to adopt our standards.5. Profit!!!

6. Forget that the US is also using those standards.7. Military wonders how China is stealing all of it's contractor's data.

1. Put a backdoor in to a an encryption scheme.2. Push for it to become a NIST standard.3. Create FIPS guidelines recommending the use of this standard (http://csrc.nist.gov/groups/STM/cavp/do ... bgval.html).4. Wait for other countries to adopt our standards.5. Profit!!!

6. Forget that the US is also using those standards.7. Military wonders how China is stealing all of it's contractor's data.

Here's the thing. The really important stuff in the U.S. doesn't use those standards. Classified systems make heavy use of firewalls and hardware encryption units .

As the experts sourced in the article have said one way or another, Dual_EC_DRNG was known to have problems since mid-2006. Did they really have no other PRNG to use? What a total crock of shit.

The 'former RSA employee' in the previous Ars comment section is also a riot: "our software was ENTERPRISE QUALITY, as opposed to a crypto library made by some nerd in his basement."

If it's "enterprise quality", we should all be running, screaming, into the hills. In my experience, "enterprise quality" means "complexity for the sake of being complex, rather than complexity born of necessity."

1) The US gov. doesn't care. The NSA can already read their stuff. :-) This is only a problem for someone who wants to keep secrets from the NSA.

2) This algorithm was not "weakened", the NSA retained a private key to decode its results. Against anyone other than the NSA, the algorithm is still strong.

3) Defense in depth. Why oh why do security researches so consistently put all their eggs in one basket like this. The PRNG is so slow anyway, would running it through AES kill you? That would provide complete protection from the NSA or from anyone else, regardless of any security vulnerabilities this generator may or may not have. This sort of thing comes up all the time.

3a) Another example of this is TLS. Again and again algorithms are used singly and used in ways that highlight any weaknesses they may have. Sure, counter mode may work, but flipping one bit in the input flips one bit in the output. That is a super dangerous property. Sure, CBC works, but the attacker knows the blocks that you will be using to whiten, maybe that's a problem? Sure enough, attacks come out where that is an issue. Using two ciphers in series (CBC then ECB, or a stream cipher than AES-ECB) eliminates this property and would foil all known attacks. I understand that the cost is greater, but sheesh, computers are fast and this sort of thing is not that costly.

These are meta problems that can easily make other issues worse. This sort of thing is often the difference between exploits that work and ones that almost work.

Now, on a side note. Does anyone know the math well enough to know whether or not it is secure to generate an ECC algorithm like this without a private key? For instance, you can't make a BBS generator without knowing the factorization of the modulus, because you need to ensure it is the product of two large primes. Perhaps this has something similar, where you need to verify a property of the private key portion that makes it impossible to create a secure instance where nobody knows the private key. Something to ponder....

Curious english there. They don't *enable* backdoors in their products. What the hell does that actually mean?

They are they but they haven't used them yet?

It means that instead of, technically, putting in a "traditional" backdoor, they "merely" incorporated a known weak algorithm, which the NSA is able to crack pretty easily. This smacks more of "plausible deniablity" and/or PR spin, than of genuine ecplanation.

1. Put a backdoor in to a an encryption scheme.2. Push for it to become a NIST standard.3. Create FIPS guidelines recommending the use of this standard (http://csrc.nist.gov/groups/STM/cavp/do ... bgval.html).4. Wait for other countries to adopt our standards.5. Profit!!!

6. Forget that the US is also using those standards.7. Military wonders how China is stealing all of it's contractor's data.

(Iranian Nuclear Reactor Scientist) "I don't know how they got the virus installed. It's as if they have a backdoor or something!"

While I generally greatly appreciate the article images Ars chooses, in this case given the way weakening an RNG used primarily by the US government contractor ecosystem has backfired on the NSA, I think this is actually the correct picture:

If the RNG reported to contain the NSA backdoor is used in the RSA software, then the RSA would not have to 'enable' it as its inherently enabled by the design of the NSA RNG. So is RSA saying they don't enable it, as a means to say their software is ok even though the NSA backdoor exists inherently in the NSA RNG and is enabled anyway?

Almost everyone in the world relies on an EMC product and doesn't even know it.

Indeed. They're one of those ubiquitous infrastructure companies which few non-specialists know, and everyone uses in multiple parts of their life without knowing it.

The list of products which incorporate BSAFE is quite surprising, also. At one time every version of Windows had it in there, satellites, as did the Playstation, Nintendo handhelds, Konami arcade machines.... RSA's BSAFE brag slide was a "who's who" list.

Isn't this in large part just a semantic quibble over the definition of "backdoor" ?

As in a relatively easy to exploit flaw, deliberately introduced into the code is -- technically -- not quite the same as some specially coded access mechanism?

I think both sides of this discussion should be a little more careful of their terminology.

Which is worse, RSA being technologically incompetent and not realizing the problems with said RNG or RSA knowing of said problems and misleading people on why they are using it?

It's pretty bad, either way -- and I would argue that, either way, it prevents "regular folk" from appreciating what's going on .

If the Good Guys (tm) let it slide, and adopt this sloppy language, they're facilitating the Bad Guys ability to obfuscate the issues in question.

Whether the elliptic curve / Dual_EC_DRBG RNG problem was caused by RSA incompetence or by actual duplicity, the sloppy language contributes to the corporate spin, and makes it easier for RSA to deflect criticism, by talking about some "back-door" that they might or might not have inserted rather than about the predictable (incompetent or deliberate) lack of security from a plainly sub-optimal design choice.

1. Put a backdoor in to a an encryption scheme.2. Push for it to become a NIST standard.3. Create FIPS guidelines recommending the use of this standard (http://csrc.nist.gov/groups/STM/cavp/do ... bgval.html).4. Wait for other countries to adopt our standards.5. Profit!!!

6. Forget that the US is also using those standards.7. Military wonders how China is stealing all of it's contractor's data.

Maybe they should be left in. How else are whistle-blowers going to get their information?

From everything I've read, you don't need a backdoor to gain access to most of the sensitive stuff that the NSA is doing. Snowden evidently used the front door.

If the RNG reported to contain the NSA backdoor is used in the RSA software, then the RSA would not have to 'enable' it as its inherently enabled by the design of the NSA RNG. So is RSA saying they don't enable it, as a means to say their software is ok even though the NSA backdoor exists inherently in the NSA RNG and is enabled anyway?

Exactly. They also "enable" it if they use an algorithm that they have reason to suspect is not optimal, and are simultaneously are under soft pressure from NSA to use it, and then agree to that.

The "backdoor" is the structure of the NIST committee that decided the standard. NSA influences NIST by sitting on the committee, and NIST influences RSA by contributing both expertise and credibility.

Here's the thing. The really important stuff in the U.S. doesn't use those standards. Classified systems make heavy use of firewalls and hardware encryption units .

You're implying that firewalls and hardware encryption units don't use the same cypher algorithms and interoperable protocols as everything else.

They don't*. You yourself started to point this out just a few posts earlier. All the NIST/FIPS algorithms, including the ones known to have backdoors, are considered Type 3 encryption and are only approved for encrypting of OUO data. Anything higher than OUO gets encrypted with Type 1 encryption and is transmitted over networks that are physically separate from the internet. The only standard encryption algorithm approved for those devices is AES (with large keys), which is not known to be compromised.

Of course there is a lot of sensitive OUO information out there that could have been compromised by this backdoor (although compared to insider threat and poor IT security overall it's a pretty academic threat), but MrTeapot was specifically talking about classified data.

* The hardware encryption units that is. The firewalls probably just talk standard IP, of course.

Did they use original numbers for PRNG or did they use their own? (Maybe missed it in the article...) That would be primary point of failure.

They used the points on the elliptical curve chosen by the NSA.

There were already concerns about this PRNG, there were concerns about default numbers, yet they used as is? Not even tried to use alternative in same standard? Not good for security reputation. And even if they chose few years before all base problems got discovered, they should have acted already back then and replaced/updated affected equipment and software.

The US Government is one of RSA's largest customers and and obviously would be the primary customer for FiPS compliant products. The government also receives recommendations on encryption products from the NSA. It's very likely that the NSA encouraged government customers to request Dual_EC_DRBG as the default mode for the BSAFE product during its development, in order to get the compromised algorithm out there and in use. I'm not sure that RSA is willfully complicit in weakening the security of its products.

In either case, while this may have achieved the NSA's objective to get this method in use in a number of products, it seems like it's still primarily being used by US Government customers. Regardless of your stance on privacy violations, the NSA should be taken to task for willfully compromising the security of the rest of the government (along with US industry) for its own convenience.

The US Government is one of RSA's largest customers and and obviously would be the primary customer for FiPS compliant products. The government also receives recommendations on encryption products from the NSA. It's very likely that the NSA encouraged government customers to request Dual_EC_DRBG as the default mode for the BSAFE product during its development, in order to get the compromised algorithm out there and in use. I'm not sure that RSA is willfully complicit in weakening the security of its products.

Does it really matter if it was willful? Given how many and how quickly the concerns were raised about it, they're either complicit or incompetent, and should face serious scrutiny going forward.

Curious english there. They don't *enable* backdoors in their products. What the hell does that actually mean?

They are they but they haven't used them yet?

I think it means that if a backdoor is present they do not enable it.I'd rather they said something like "We do our best to secure our products."If they are spy types think of the it as something like: "Do you collect information that you should not have?" "We are not interested in boring information." If they are like me figure that it's just a poorly worded statement.